Re: [asterisk-users] Executing shell commands via AMI
On Wed, Mar 16, 2011 at 01:33:24PM -0500, Tilghman Lesher wrote:
> On Wednesday 16 March 2011 13:14:40 Vinícius Fontes wrote:
> > action: command
> > command: ! /bin/ls -l /
>
> For security reasons, you cannot do this. This is intentional, not a bug.
> Consider the command 'rm -rf /' for the reason why.
I would not call this "security reasons". '!' does not run a shell
command by the Asterisk host. It allows the remoet Asterisk guest to
escape to a shell.
You might as well have run 'system("rm -rf /")' on the local client
connecting to the manager interface.
if (s[0] == '!') {
if (s[1])
ast_safe_system(s+1);
else
ast_safe_system(getenv("SHELL") ?
getenv("SHELL") : "/bin/sh");
} else
ast_cli_command(STDOUT_FILENO, s);
I'm root. Asterisk runs as user asterisk. '!' runs commands as user
root.
sweetmorn:~# id -a
uid=0(root) gid=0(root) groups=0(root)
sweetmorn:~# ps u `cat /var/run/asterisk/asterisk.pid `
USER PID %CPU %MEMVSZ RSS TTY STAT START TIME COMMAND
asterisk 24280 0.6 0.6 122312 12620 ?Ssl 13:25 0:00 /usr/sbin/aster
sweetmorn:~# asterisk -r
[snip]
sweetmorn*CLI> !id -a
uid=0(root) gid=0(root) groups=0(root)
Asterisk does have an extra check for manager commands that may
potentially allow a remote user to inject a system command:
/* To run the System application (or anything else that goes to shell), you
must have the additional System privilege */
if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
&& (
strcasestr(app, "system") || /* System(rm -rf /)
TrySystem(rm -rf /)
*/
strcasestr(app, "exec") ||/* Exec(System(rm -rf /))
TryExec(System(rm -rf /)) */
strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
EAGI(/bin/rm,-rf /)
*/
strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)})
*/
strstr(appdata, "EVAL") /*
NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) {
astman_send_error(s, m, "Originate with certain 'Application'
arguments requires the additional System privilege, which
you do not have.");
So indeed 'write=command' was not enough here. write='command,system' is
more like it. If you know what you're doing (or have a system to play
with, or whatever).
Also note that if you run Asterisk as a non-root user, system() will not
make the code magically run as root. Did I mention you should avoid
running Asterisk as root?
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
In article <4d812911.6080...@venturevoip.com>,
Matt Riddell wrote:
> On 17/03/11 9:53 AM, Vinícius Fontes wrote:
> > No increased security, lots of hassle, all because there's an
> > undocumented "feature" that is supposed to increase security but just
> > takes functionality away.
>
> If you really want to you could add some dialplan like:
>
> [dangerous]
> exten => s,1,System(${somecommand})
>
> and use the manager to set the somecommand variable on a call you send
> to the "dangerous" context.
>
> Up to you.
I seem to remember the Asterisk GUI using this technique too. Although
perhaps it had canned shell commands in the dialplan rather than allowing
anything through.
Cheers
Tony
--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
On Wed, 16 Mar 2011, Vinícius Fontes wrote: But I really don't see much of a threat on this. AGI does almost the same. I thought you didn't want to start a flamefest :) The security risk of AGI would be 'the same' if you provide a method for a miscreant to create a file on your Asterisk server, make it executable, modify your dialplan, reload the dialplan and execute that section of the dialplan. If all these conditions are already in place, your definition of 'secure' is different than mine. The ability to [remotely] execute a shell command via AMI does sound interesting. Can you describe where this would be needed and could not be accomplished with existing tools like ssh and sudo? -- Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000-- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
If you want total control from AMI then point at an extension that you can set variables to commands and arguments, call an AGI and set variables that can be passed back to AMI via user events. -- Jim Dickenson mailto:dicken...@cfmc.com CfMC http://www.cfmc.com/ On Mar 16, 2011, at 3:03 PM, Danny Nicholas wrote: > > From: asterisk-users-boun...@lists.digium.com > [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Vinícius Fontes > Sent: Wednesday, March 16, 2011 5:02 PM > To: Asterisk Users Mailing List - Non-Commercial Discussion > Subject: Re: [asterisk-users] Executing shell commands via AMI > > But what about if asterisk running with non-privilege user? > > Still it is not a good idea. > > Yes I forgot to say that I also run Asterisk as a regular user, which also > helps with security. > > But I really don't see much of a threat on this. AGI does almost the same. > > This won’t help but I’ll chip in anyway. In AGI, you have “total” local > control. In AMI, it’s a crap shoot. > -- > _ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > New to Asterisk? Join us for a live introductory webinar every Thurs: > http://www.asterisk.org/hello > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
_ From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Vinícius Fontes Sent: Wednesday, March 16, 2011 5:02 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] Executing shell commands via AMI But what about if asterisk running with non-privilege user? Still it is not a good idea. Yes I forgot to say that I also run Asterisk as a regular user, which also helps with security. But I really don't see much of a threat on this. AGI does almost the same. This wont help but Ill chip in anyway. In AGI, you have total local control. In AMI, its a crap shoot. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
But what about if asterisk running with non-privilege user? Still it is not a good idea. Yes I forgot to say that I also run Asterisk as a regular user, which also helps with security. But I really don't see much of a threat on this. AGI does almost the same. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
- Mensagem original -
On 17/03/11 9:53 AM, Vinícius Fontes wrote:
> No increased security, lots of hassle, all because there's an
> undocumented "feature" that is supposed to increase security but just
> takes functionality away.
If you really want to you could add some dialplan like:
[dangerous]
exten => s,1,System(${somecommand})
and use the manager to set the somecommand variable on a call you send
to the "dangerous" context.
Up to you.
--
Cheers,
Matt Riddell
Very clever! Thanks for sharing.--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
But what about if asterisk running with non-privilege user? Still it is not a good idea. -- Sent from my iPhone On Mar 16, 2011, at 2:33 PM, Tilghman Lesher wrote: On Wednesday 16 March 2011 13:14:40 Vinícius Fontes wrote: action: command command: ! /bin/ls -l / For security reasons, you cannot do this. This is intentional, not a bug. Consider the command 'rm -rf /' for the reason why. -- Tilghman -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
On 17/03/11 9:53 AM, Vinícius Fontes wrote:
No increased security, lots of hassle, all because there's an
undocumented "feature" that is supposed to increase security but just
takes functionality away.
If you really want to you could add some dialplan like:
[dangerous]
exten => s,1,System(${somecommand})
and use the manager to set the somecommand variable on a call you send
to the "dangerous" context.
Up to you.
--
Cheers,
Matt Riddell
___
http://www.venturevoip.com/news.php (Daily Asterisk News)
http://www.venturevoip.com/exchange.php (Full ITSP Solution)
http://www.venturevoip.com/cc.php (Call Centre Solutions)
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
- Mensagem original - On Wednesday 16 March 2011 14:11:21 Vinícius Fontes wrote: > > I understand the concern with security but why not create a separate > > authorization allowing that instead of hard-coding it? > > I understand the concern with security but why not create a separate > authorization allowing that instead of hard-coding it? Clearly, you don't understand the problem with security, because you're asking that question. If you want to run shell commands on the Asterisk server, create your own SSH connection to the server, become root, and run those commands. -- Tilghman I do understand the problem with security and this is my last message, since I have no intention to start a flame war. When we're dealing with security we're always balancing three factors: usability, risk, flexibility. You change one, you change the other two. This is not about a security flaw but about a lack of flexibility. I could make my remote management system use the existent SSL-encrypted AMI session (that will only accept connections from specific IP addresses, aside from incoming connections being filtered by iptables) to run shell commands, but now I have to allow SSH access to achieve the very same thing. Last time I checked the listening ports, the higher security risks are. Also, many of the boxes I manage are behind NAT, so I'll have to ask my customers to reconfigure their firewalls to allow SSH access from the remote management system. No increased security, lots of hassle, all because there's an undocumented "feature" that is supposed to increase security but just takes functionality away. Thank you for your attention. -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
On Wednesday 16 March 2011 14:11:21 Vinícius Fontes wrote: > > I understand the concern with security but why not create a separate > > authorization allowing that instead of hard-coding it? > > I understand the concern with security but why not create a separate > authorization allowing that instead of hard-coding it? Clearly, you don't understand the problem with security, because you're asking that question. If you want to run shell commands on the Asterisk server, create your own SSH connection to the server, become root, and run those commands. -- Tilghman -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
- Mensagem original - On Wednesday 16 March 2011 13:14:40 Vinícius Fontes wrote: > action: command > command: ! /bin/ls -l / For security reasons, you cannot do this. This is intentional, not a bug. Consider the command 'rm -rf /' for the reason why. -- Tilghman I understand the concern with security but why not create a separate authorization allowing that instead of hard-coding it? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Executing shell commands via AMI
On Wednesday 16 March 2011 13:14:40 Vinícius Fontes wrote: > action: command > command: ! /bin/ls -l / For security reasons, you cannot do this. This is intentional, not a bug. Consider the command 'rm -rf /' for the reason why. -- Tilghman -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Executing shell commands via AMI
I'm trying to run a shell command from AMI, but I guess I'm doing something wrong or there's a bug because no matter what command I try I always get a null response. Running the latest 1.6.2 release. On manager.conf I have: [test] secret = test deny = 0.0.0.0/0.0.0.0 permit=127.0.0.1 read = command write = command And my session is as follows: pabx:~# telnet localhost 5038 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Asterisk Call Manager/1.1 action: login username: test secret: test Response: Success Message: Authentication accepted action: command command: ! /bin/ls Response: Follows Privilege: Command --END COMMAND-- action: command command: ! /bin/ls -l / Response: Follows Privilege: Command --END COMMAND-- action: logoff Response: Goodbye Message: Thanks for all the fish. Connection closed by foreign host. Any ideas on how to make this work or should I file a bug report? -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
